12

Background: The only thing I can find on how to do this relates to RDP on windows 2008, which seems to have something called "Remote Desktop Session Host Configuration" in Administrative Tools. This does NOT exist in windows 2012 and there appears to be now way to add it via a MMC as well. I read here for 2008, using RDS Host Config, you can just it off.

Question: So, in windows 2012, how can you turn off TLS 1.0, but still be able to RDP into a Windows 2012 server?

Originally, my understanding is that ONLY TLS 1.0 was supported in Win2012 RDP. However, TLS 1.0 according to PCI is no longer allowed. This was supposed fixed for Windows server 2008r2 according to this article. However, this does not address Server 2012 that doesn't even have an administrative gui apparatus to make changes to the protocols that RDP will use that I'm aware of.

Community
  • 1
Michael Barber
  • 165
  • 2
  • 3
  • 10

3 Answers3

7

Disabling TLS is a system-wide registry setting:

https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10 

Key: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  
Value: Enabled  
Value type: REG_DWORD
Value Data: 0

Also, the PCI requirement for disabling early TLS does not go into effect until June 30, 2016.

Internet Explorer is one product I know of that has a separate configuration option for the TLS/SSL encryption settings. There may be others.

I have a Windows 2012 R2 server with TLS 1.0 disabled and I can remote desktop to it.

If you are wondering, below is a screenshot of tsconfig.msc on a Windows 2008 R2 server that has KB3080079 installed. There's nothing to configure because the only thing the update did was add support for the other two TLS encryption levels so that when TLS 1.0 is disabled it continues to work.

enter image description here

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • Your instructing are how to disable TLS 1.0 "server wide" and not specific to RDP. If I follow them, I can no longer access the server via RDP. This could very well be that RDP is still using TLS 1.0 despite it being disabled as a SChannel which kinda goes back to the question of how to make sure it is ALSO changed, or notified back to RDP. – Michael Barber Nov 04 '15 at 21:38
  • Ok, you are right. It looks like its working if the RDP client is at ver 8 and not 7.1 per the KB. It is "unfortunate" that Microsoft took away this control that was available earlier. Very disappointed in Win-server 2012 - it feels like a step down to Win-server 2008 – Michael Barber Nov 05 '15 at 17:25
  • @MichaelBarber You were asking about Win 2012, but then your comment above is about 2008 ? For clarity, did you disable TLS 1.0 on Windows 2012 Standard R2 with out any issue ? e.g were you still able to Remote Desktop to the server ? – neildt Jan 15 '16 at 10:18
1

If you disable TLS 1.0 and want RDP to keep working, then using local Group Policy Editor you have to select the "Negotiate" Security Layer for RDP in "Computer Configuration\Administrative Templates\Windows\Components\Remote Desktop Services\Remote Desktop Session Host\Security" "Require use of specific security layer for remote (RDP) connections." and also select "Enabled". This also works in 2012R2.

user346630
  • 11
  • 1
1

After almost a year, I finally figured out a working solution for disabling TLS 1.0/1.1 without breaking RDP and Remote Desktop Services connectivity.

Run IISCrypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self signed certificates on Server 2012 R2), the Security Policy option Network Security: LAN Manager authentication level may need to be set to Send NTLMv2 responses only.

Let me know if this works for you as well.

cardiothoracics
  • 124
  • 2